Page MenuHomePhabricator
Create Task
Maniphest T252762

tools/toolsbeta: improve acme-chief integration
Closed, ResolvedPublic
Actions

Description

We identified several things to fix:

  • some toolforge puppet profiles use letsencrypt::cert::integrated. We would need to migrate to acme_chief::cert. Example: profile::toolforge::mailrelay
  • toolsbeta lacks support for running acme_chief. Among other things, we need a dedicated VM for that.
  • therefore, toolsbeta usually disables TLS, for example in the front-proxy we explicitly disable it. This would be good to improve, to make tools and toolsbeta more similar.

Also, worth noting there has been some conversations on IRC between @Krenair and @Andrew about simplifying the acme_chief setup in CloudVPS in general. Might be related to the problems described here.

Details

SubjectRepoBranchLines +/-
toolforge: mailrelay: migrate TLS cert to acme-chiefoperations/puppetproduction+7 -27
toolforge: mailrelay: introduce support for disabling TLSoperations/puppetproduction+24 -19
keystone: add service user toolsbeta-dns-manageroperations/puppetproduction+1 -0
Customize query in gerrit

Related Objects

Event Timeline

aborrero created this task.May 14 2020, 11:59 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 14 2020, 11:59 AM
aborrero mentioned this in T120225: Toolforge: correctly envelope forwarded email.May 14 2020, 12:02 PM
Stashbot added a comment.May 14 2020, 12:08 PM

Mentioned in SAL (#wikimedia-cloud) [2020-05-14T12:08:39Z] <arturo> created toolsbeta-acme-chief-01 VM (T252762)

Stashbot added a comment.May 14 2020, 12:09 PM

Mentioned in SAL (#wikimedia-cloud) [2020-05-14T12:09:20Z] <arturo> created puppet prefix toolsbeta-acme-chief in horizon (T252762)

Krenair added a comment.May 14 2020, 9:11 PM

do we really want to go down the path of setting acme-chief up in toolsbeta before doing the thing we agreed? I feel like this is basically motivated by T252199: Stop using letsencrypt::cert::integrated and its subtask, see also T252734: Consider moving tools away from acme-chief

aborrero added a comment.May 18 2020, 1:01 PM

Sorry, I forgot what thing we agreed on? Anyway, I agree with everything that simplifies the setup :-)

I'm kind of blocked by this. It would be interesting for me to deploy the email server in Toolsbeta this Q, but the TLS stuff needs work.
How can we collaborate in moving this forward?

PD: Feel free to merge this task to others, whatever you see fit

gerritbot added a comment.May 19 2020, 10:53 AM

Change 597257 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/puppet@production] toolforge: mailrelay: introduce support for disabling TLS

https://gerrit.wikimedia.org/r/597257

gerritbot added a project: Patch-For-Review.May 19 2020, 10:53 AM
gerritbot added a comment.May 19 2020, 11:04 AM

Change 597257 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] toolforge: mailrelay: introduce support for disabling TLS

https://gerrit.wikimedia.org/r/597257

Maintenance_bot removed a project: Patch-For-Review.May 19 2020, 11:10 AM
Andrew moved this task from Inbox to Needs discussion on the cloud-services-team (Kanban) board.May 19 2020, 4:10 PM
Dzahn unsubscribed.May 20 2020, 10:40 AM
aborrero closed this task as Declined.May 20 2020, 3:35 PM

I'm unblocked now. Closing this task in favor of whatever we decide on T252721: cloud-vps solution for Let's Encrypt.

Krenair added a comment.May 20 2020, 5:27 PM

we might still do this, we'll see :)

Krenair reopened this task as Open.May 27 2020, 8:54 PM
aborrero moved this task from Needs discussion to Soon! on the cloud-services-team (Kanban) board.Jun 10 2020, 3:36 PM
gerritbot added a comment.Jun 10 2020, 4:43 PM

Change 604440 had a related patch set uploaded (by Andrew Bogott; owner: Andrew Bogott):
[operations/puppet@production] keystone: add service user toolsbeta-dns-manager

https://gerrit.wikimedia.org/r/604440

gerritbot added a project: Patch-For-Review.Jun 10 2020, 4:43 PM
gerritbot added a comment.Jun 10 2020, 4:47 PM

Change 604440 merged by Andrew Bogott:
[operations/puppet@production] keystone: add service user toolsbeta-dns-manager

https://gerrit.wikimedia.org/r/604440

Andrew added a comment.Jun 10 2020, 5:05 PM

acme-chief is set up and working in toolsbeta now. I haven't actually consumed any of the certs or thought about what certs we need (right now the server is just making one for toolsbeta.wmflabs.org)

Maintenance_bot removed a project: Patch-For-Review.Jun 10 2020, 5:10 PM
aborrero closed this task as Resolved.Jun 11 2020, 8:56 AM
aborrero assigned this task to Andrew.

Thanks!

We can close this task now and reopen if required later.

gerritbot added a comment.Jun 23 2020, 9:33 AM

Change 607251 had a related patch set uploaded (by Arturo Borrero Gonzalez; owner: Arturo Borrero Gonzalez):
[operations/puppet@production] toolforge: mailrelay: migrate TLS cert to acme-chief

https://gerrit.wikimedia.org/r/607251

gerritbot added a project: Patch-For-Review.Jun 23 2020, 9:33 AM
gerritbot added a comment.Jun 23 2020, 4:01 PM

Change 607251 merged by Arturo Borrero Gonzalez:
[operations/puppet@production] toolforge: mailrelay: migrate TLS cert to acme-chief

https://gerrit.wikimedia.org/r/607251

Maintenance_bot removed a project: Patch-For-Review.Jun 23 2020, 4:11 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL